Hackers made a Bitcoin ransom demand of $70,000. Payroll and employees’ personal information were not the only things at stake: staff were forced to shut down over 2100 machines, including ticket kiosks, leaving customers across the city to enjoy free rides, an unexpected bargain for Black Friday shoppers.

HDDCryptor ransomware is especially disruptive because it does more than target files on the local disk or on the network: it also encrypts the hard drive and locks the machine. Customers were greeted with messages like the one shown on the screen below as they approached ticket machines with money in hand. (Makes you think: had the attackers thought this one through, it could have been far worse.)

So how did this happen, if ticket machines aren’t used to browse the web or open files and have no USB port access?

Well, this was not a hack. It was most likely the result of a user on the corporate network clicking on something seemingly benign, like an email attachment, on a system protected only by legacy, detection-based security. I have no doubt SFMTA tried to do the right thing: systems fully patched, security products at every layer updated and active. Sadly, that isn’t enough. The undetected malware was able to move laterally from a user’s machine with web and email access to every machine it had network access to, including servers and ticket kiosks. The damage could have been minimized at little cost by practicing least privilege, or need-to-know access. Network segmentation should be the first layer against malware proliferation: had it been practiced, SFMTA might still have had some corporate machines infected, but the exposure would have been limited and wouldn’t have cost the city upwards of $1.5 million in lost revenue over the course of the weekend.

How Bromium leverages least privilege to defeat attacks.

Bromium applies the concept of least privilege, or “need to know”, in its core architecture, micro-virtualization. In the figure below, the “pie” slices on the right side are simple but potentially dangerous user tasks, such as an email attachment or a browser tab opened on a user PC. These tasks have no reason to access the user’s desktop or the network, so any direct access is restricted. This is least-privilege access at a very granular level. The tasks are automatically discarded when the tab or document is closed, throwing away any malware along with them.

Think of user PCs the same way as those isolated tasks: do they need access to every part of the network, every server, every database? No, they don’t, so why not restrict access where you can?
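The segmentation argument above (corporate PCs with web and email access reaching kiosks and servers) can be checked with a blast-radius calculation over a segment-level allow-list. The following is an added example, not SFMTA’s or Bromium’s code; the host inventory, segment names and the segment policies are constructed assumptions, and “reachable” simply means the policy permits a hop between the two segments.

```python
"""Blast-radius estimate for a flat versus a segmented network (added example)."""
from collections import deque

# Constructed inventory: host -> segment. A real fleet has thousands of rows.
HOSTS = {
    "user-pc-01": "users", "user-pc-02": "users", "user-pc-03": "users",
    "file-srv-01": "servers", "payroll-db-01": "servers",
    "jump-01": "mgmt",
    "kiosk-001": "kiosks", "kiosk-002": "kiosks", "kiosk-003": "kiosks",
}

# Flat network: any segment may talk to any other (what a worm wants).
FLAT_POLICY = {(a, b) for a in set(HOSTS.values()) for b in set(HOSTS.values())}

# Segmented network (assumed policy): user PCs reach the file servers they
# need, kiosks are administered only from the management jump host, and
# nothing in the user segment can reach a kiosk directly or transitively.
SEGMENTED_POLICY = {
    ("users", "users"),
    ("users", "servers"),
    ("servers", "servers"),
    ("mgmt", "servers"),
    ("mgmt", "kiosks"),
    ("kiosks", "kiosks"),
}


def reachable(start: str, hosts: dict, policy: set) -> set:
    """Hosts a worm on `start` can reach by hopping host to host, where each
    hop is allowed only if the policy permits (source segment, target segment).
    This is transitive: a compromised server is used as the next hop."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, seg in hosts.items():
            if host not in seen and (hosts[cur], seg) in policy:
                seen.add(host)
                queue.append(host)
    return seen


def blast_radius(start: str, hosts: dict, policy: set) -> int:
    """Number of machines beyond the initial victim that are exposed."""
    return len(reachable(start, hosts, policy)) - 1


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: {blast_radius('user-pc-01', HOSTS, policy)} hosts exposed")
```

Run against a real inventory exported from your CMDB and the firewall’s inter-VLAN rules, the same walk shows which segments an infected user PC can still reach and therefore where a rule is missing.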

To help avoid situations like this, it’s time to strengthen your security posture with products that approach the problem differently, and to get back to basics by limiting what your riskiest network segments, and users for that matter, can reach.

We can help you figure out the best approach so you don’t spend your next holiday weekend at the office.

You can learn more about how Muni is continuing to manage the situation here.